The demand for sovereign cloud is accelerating worldwide, and the UK has become one of the most closely watched jurisdictions shaping this trend. With recent UK sovereign policy and major supplier cloud solutions – including Oracle’s UK Sovereign Cloud and BT’s Sovereign Platform – the UK is now firmly positioning itself within a broader international movement driven by concerns over data jurisdiction and localisation, national security and geopolitical instability.
This article provides an overview of the key drivers for UK sovereign cloud within the broader international movement, key UK government and supplier initiatives, the impact of sovereign cloud on extraterritorial laws (such as the US Cloud Act) and key cloud model issues.
An International Movement
Sovereign cloud (being, in its purest sense, a cloud environment entirely operated, located and governed within a country’s borders) is no longer a regional curiosity. Gartner predicts that global sovereign cloud spending will increase significantly over the next few years, and that by 2030 more than 75% of all enterprises outside the US will have a digital sovereignty strategy that is supported by a sovereign cloud strategy. Gartner estimates that 20% of current workloads will shift from global to local cloud providers. Regionally, the Middle East, Asia/Pacific and Europe are projected to record the highest growth in sovereign cloud spending in 2026.1
Governments are expected to be the main buyers of sovereign cloud solutions, followed by regulated industries (such as financial services) and critical infrastructure organisations (such as energy, utilities and telecommunications). However as the movement develops it is clear there is no single definition of what is truly sovereign. Some view sovereign cloud as a purely technical state, whilst others insist that it must also be built upon separate corporate structures. Differences in this exist even within hyperscalers where AWS has arguably gone further than others in seeking to establish fully EU governed European sovereign cloud, whilst other hyperscalers focus on technical measures.
The drivers for this international movement include geopolitical tensions heightened by recent political situations in Venezuela, Greenland and of late the Middle East and concerns about relying on cloud providers that are potentially subject to foreign political influence, the treatment of data as a critical economic and geopolitical asset, concerns about the extraterritorial reach of legislation such as the US Cloud Act and the UK Investigatory Powers Act, digital sovereign policy shifts that treat cloud and compute as critical national assets, and regulatory pressures that are elevating national control over data and infrastructure as a key risk management driver. ‘Sovereignty trade’ arises where the benefits of localisation and increased legal certainty, i.e. more limited risk of mandatory disclosure, less uncertainty on adequacy/data transfers, reduced exposure to geopolitical risk (but with potential challenges on managing demand), outweigh the benefits brought by scale and elasticity of global solutions.
Europe has been at the forefront of investment in sovereign cloud capabilities and has some of the most developed sovereign cloud initiatives, including the Cloud Sovereignty Framework published by the European Commission in 2025 and Vir8ra (a European sovereign open-source cloud platform launched in 2025 to reduce dependency on non-European cloud providers).
The Contrary Perspective
The strengthening cloud sovereignty position in Europe has prompted Google to warn that the approach could undermine the Europe’s own competitiveness by restricting access to foreign technology 2, and European military officials to warn that tech sovereignty could have serious security consequence given the reliance on US software and networks to run critical systems. 3 At the Munich Security Conference in February, 15 technology companies (including Microsoft, Amazon and Google) launched a trusted tech alliance aiming to reassure governments that they would adhere to a set of common rules on security and data protection “regardless of a supplier’s nationality”. 4
Also, the recent Middle East conflict has also shown the resilience risks of ring fencing of data and the localisation agenda. Take for example the impact on data centres affected by the attacks; AWS has been advising clients to move workloads to Europe and the US to ensure continuity of service. Any disaster/FM type event that can hit an individual country is a key risk to sovereign cloud services.
Position in the UK
In July 2025 the UK government published its UK Compute Roadmap, a plan to build a “world class compute ecosystem” with investments in compute infrastructure and the establishment of AI Growth Zones around the UK to fast track power, planning and investment. The Roadmap ties compute to “sovereign, secure and sustainable capabilities,” signalling a policy intent to develop domestic supply across the AI hardware stack and align compute with a broader “Sovereign AI” agenda.
However, whilst the Roadmap emphasises sovereignty, it doesn’t explicitly deal with sovereign cloud and the UK government does not currently have a formal sovereign cloud policy. In fact, UK government cloud guidance explicitly confirms that government data does not need to be stored in the UK and advocates a risk-based approach, allowing the use of global public cloud and multi-region SaaS even if components reside outside the UK.5
Some government departments have developed their own sovereign cloud requirements. For example, in 2025 the Ministry of Defence agreed a £400m contact with Google to build and operate a UK sovereign cloud capability for defence and national security workloads, which requires an air gapped, UK controlled configuration with a local control plane and no dependence on the public internet.
As evidence of increasing demand, both Oracle and UK-owned British Telecommunications plc (known as BT) have recently introduced specific UK sovereign solutions on the UK market for organisations that (in the case of Oracle) “require UK data and operational sovereignty” and (in the case of BT) are part of a “growing priority” for UK private and public sector organisations responding to geopolitical instability and the need for enhanced resilience, control and regulatory compliance. BT reports broad private sector demand for sovereignty across multiple industries that manage sensitive or strategically important data.
It will be interesting to see whether BT’s 100% UK footprint provides any competitive advantage in the UK market.
Impact on Extraterritorial Laws
Sovereign cloud can potentially offer a mitigation strategy against the extraterritorial reach of legislation such as the US Cloud Act, which can compel US-based providers to produce data even when stored abroad. Established under the US Cloud Act and in force since 2022, the UK-US Data Access Agreement (DAA) allows UK and US law enforcement to directly request data held by telecommunications providers in the other party’s jurisdiction. We are not aware of any specific examples of UK sovereign cloud acting as a shield against US access requests under the DAA. However, it is reasonable to anticipate that UK sovereign cloud arrangements could at least restrict the ease with which US authorities could access data stored in the UK – e.g. on the basis that sovereign cloud aims to structure operations so the cloud provider does not maintain unilateral administrative control. It is difficult to quantify any data request risk under the US Cloud Act on the basis that we are not aware of any publicly released request numbers. It appears, though, that more requests have been made by the UK than the US. Sovereign cloud also alleviates potential concerns relating to the risk of access to data by governments, law enforcement and intelligence agencies in other countries. This is significant even where full or sectoral adequacy decisions are in place. For example, transfers of data to certain recipients in the USA fall within the terms of the EU-US Data Privacy Framework (DPF) and its UK Extension. The DPF is underpinned by a presidential Executive Order and accompanying Department of Justice regulations imposing privacy and civil-liberty safeguards on U.S. intelligence agencies together with a redress mechanism allowing EU individuals to seek independent and binding review of alleged unlawful U.S. surveillance. The relevant Executive Order 14086 was made by former President Biden and requires necessity and proportionality, strengthening oversight, mandating stricter handling requirements for collected data, and creating a multi-layer independent redress mechanism accessible to qualifying non-U.S. persons. These reforms are intended to mitigate issues arising from the Foreign Intelligence Surveillance Act (s.702) and Executive Order 12333, which previously allowed broad U.S. surveillance without adequate safeguards or redress for EU individuals— deficiencies that formed the basis for invalidating earlier adequacy frameworks. Although currently considered sufficient by the EU Commission, the protections afforded under DPF have been heavily criticised by European Privacy campaigners including Max Schrems, whose previous challenges led to CJEU decisions that struck down Safe Harbor and Privacy Shield (predecessors to the DPF). Schrems has indicated the possibility of a further challenge aimed at the DPF, casting doubt on its continued usefulness as a transfer mechanism.
Consequently, many organisations operating in the EU are faced with a choice between cost and uncertainty (for example, having to keep in place alternative transfer mechanisms such as Standard Contractual Clauses) to hedge against the possibility of the DPF being struck down in the future, or moving towards a sovereign cloud solution.
Hybrid Global and Sovereign Cloud Models
As has been the case with the adoption of hybrid public cloud and private on prem models, we anticipate that many UK organisations that are concerned about the risks that sovereign cloud is seeking to address would consider the adoption of hybrid global and sovereign cloud models. This is also a pragmatic view given the concerns highlighted above regarding the adoption of sovereign-only models.
A hybrid approach could leverage the benefits of both models, for example by allowing organisations to keep sensitive data within the UK while leveraging global cloud for scale, AI, analytics and speed that are difficult to harness the full benefits of in sovereign cloud or in private on prem infrastructure-only solutions. A hybrid approach could potentially allow organisations to strike a balance between sovereignty, operational resilience, cost control and access to global innovation by leveraging the best of both worlds.
Such an approach would, though, introduce a range of technical, legal and operational considerations that will need to be carefully assessed. A core consideration will likely involve the adherence to somewhat competing key principles which require, on the one hand, a determination of the data and workloads that can safely reside in global cloud regions and which require UK sovereign environments and how the distinction is managed and, on the other hand, consistent and secure interoperability between global and sovereign cloud environments.
For now at least, the UK appears to be taking a fairly flexible approach to sovereign cloud (and digital sovereignty more generally) when compared to more restrictive/ prescriptive approaches in regions such as Europe, and which is expected to facilitate the adoption of hybrid global and sovereign cloud models.
1 https://www.gartner.com/en/newsroom/press-releases/2026-02-09-gartner-says-worldwide-sovereign-cloud-iaas-spending-will-total-us-dollars-80-billion-in-2026; Gartner Survey Reveals Geopolitics Will Drive 61% of CIOs and IT Leaders in Western Europe to Increase Reliance on Local Cloud Providers
2 Google warns EU: sovereignty undermines competition – Techzine Global
3 Europe’s ‘tech sovereignty’ ambitions carry security risks, military warns
4 Europe’s ‘tech sovereignty’ ambitions carry security risks, military warns
5 Multi-region cloud and software-as-a-service – GOV.UK
The information in this article is for general informational purposes only and does not constitute legal advice, nor does it create an attorney-client relationship. The information is from Pinsent Masons, and does not reflect the views or opinions of ITechLaw.
